What is the Zero Trust Model

Posted on April 22, 2019 | Featured

Zero Trust is a model for IT security in which access is only granted if the connecting devices and users are confirmed to be both authorized and authenticated. This is true regardless of the location of devices or their users. While there are a variety of techniques available to implement Zero Trust, it is characterized by adherence to key principles, such as vetting devices and users before they connect.

The Zero Trust Model

Although it has been almost a decade since Forrester coined the term in 2010, Zero Trust remains relevant. In fact, the Zero Trust model has become a key way for organizations to keep their network resources safe.

Under Zero Trust, everything is treated as suspect. Whereas other models of network security might only treat devices outside the network as a cause for concern, the Zero Trust model views every device and its users with suspicion. This adds a layer of protection to an organization’s network and gives users a consistent experience when connecting to resources, whether those resources sit inside or outside the network.

Why Do Organizations Need the Zero Trust Model

Today’s network resources are often spread out and include cloud-based resources. Resources accessed in the cloud often cannot be protected by traditional layers of network security. Those accessing these resources might not be on an office Wi-Fi network but anywhere, including an insecure public network. This increases the risk that devices owned by trusted users are compromised, allowing outsider and insider threats to infiltrate an organization’s network. Thankfully, Zero Trust techniques can extend to protect cloud-hosted applications and data. For more information on how the Zero Trust model can prevent insider threats, read Impulse’s article “Insider Threats and the Zero Trust Model.”

Zero Trust Techniques

The Zero Trust model advocates a number of techniques that enable an organization to know who and what is using its network. The model views everything on the network with suspicion, and it accomplishes this with cyber security techniques including the following:

Network segmentation: Segmenting a network into different zones limits the impact if part of the network is compromised. An attacker trying to move east-west (laterally) within the network will not have access outside of the zone they compromised.

Using techniques like Software Defined Perimeter (SDP) can even make networks so segmented as to have a “perimeter of one.”

Least-privilege access: Granting users access to only the resources they need helps keep critical resources from being compromised. If a user’s credentials are compromised, least-privilege access narrows what the attacker can access.

Ensure secure access: Use data about the device and its user to make sure a device’s connection is secure. This includes techniques such as mutual TLS, where the client and server authenticate each other. Also implement techniques like multifactor authentication to help ensure users are who they claim to be.

“Black cloud:” By effectively using a deny-all firewall that dynamically permits access to application resources only for vetted client devices and users, many common network-based attacks can be prevented.

Note that most traditional VPNs do the opposite of what’s suggested by Zero Trust. Once connected via a VPN, you effectively have the same access to a corporate network as you would in your office.
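The following is an added illustration, not code from the original article or from Impulse’s products: a small default-deny policy decision point that combines the principles above (vetted device, authenticated user with MFA, least privilege scoped to one resource in one zone) and ignores network location, shown beside the perimeter-style check a traditional VPN effectively makes. All record fields and the sample users, devices and resources are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed records; the fields are assumptions about what a policy point would collect.
@dataclass(frozen=True)
class Device:
    managed: bool            # enrolled in the organization's device inventory
    client_cert_valid: bool  # passed mutual-TLS client authentication

@dataclass(frozen=True)
class User:
    name: str
    authenticated: bool
    mfa_passed: bool
    roles: frozenset

@dataclass(frozen=True)
class Resource:
    name: str
    zone: str                 # network segment the resource lives in
    allowed_roles: frozenset  # least privilege: the only roles that may reach it

def perimeter_decide(location: str) -> bool:
    """Traditional VPN/perimeter logic: whoever is 'inside' is trusted with the whole network."""
    return location == "corporate-network"

def zero_trust_decide(user: User, device: Device, resource: Resource, location: str):
    """Deny-all by default; grant only this one resource, and only when every check passes.
    Location is deliberately not a check: the same vetting applies inside and outside."""
    denials = []
    if not (device.managed and device.client_cert_valid):
        denials.append("device not vetted")
    if not (user.authenticated and user.mfa_passed):
        denials.append("user not authenticated with MFA")
    if not (user.roles & resource.allowed_roles):
        denials.append(f"least privilege: no role grants {resource.name}")
    # A grant is scoped to a single resource in its zone (a "perimeter of one"), never the network.
    granted = {resource.zone: {resource.name}} if not denials else {}
    return (not denials), denials, granted

# Constructed sample data for the demonstration.
PAYROLL = Resource("payroll-app", "finance-zone", frozenset({"finance"}))
HR_DB = Resource("hr-db", "hr-zone", frozenset({"hr"}))
MANAGED = Device(managed=True, client_cert_valid=True)
UNMANAGED = Device(managed=False, client_cert_valid=False)
ALICE = User("alice", authenticated=True, mfa_passed=True, roles=frozenset({"finance"}))
STOLEN_CREDS = User("alice", authenticated=True, mfa_passed=False, roles=frozenset({"finance"}))

if __name__ == "__main__":
    for loc in ("corporate-network", "coffee-shop-wifi"):
        print(loc, "perimeter:", perimeter_decide(loc),
              "zero trust:", zero_trust_decide(ALICE, MANAGED, PAYROLL, loc)[:2])
```

Running it shows the perimeter check flipping on location alone, while the Zero Trust decision depends only on the device, the user’s MFA-backed authentication and the role-to-resource mapping.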

SafeConnect Software Defined Perimeter

Impulse’s SafeConnect Software Defined Perimeter (SDP) abides by the Zero Trust principles listed above and is a more secure alternative to traditional VPNs. SafeConnect SDP delivers Zero Trust using a software-as-a-service model that allows users to access their corporate networks from anywhere while protecting valuable data from internal attacks.

To learn more about SafeConnect SDP and request a 30-day trial subscription, visit Impulse’s SDP page.